| Field | Value |
|---|---|
| Title | sourcecodester Computer Inventory System 1.0 SQL Injection |
| Description | The Computer Inventory System by SOURCECODESTER has a critical SQL Injection vulnerability in its /endpoint/delete-computer.php component. This flaw allows attackers to manipulate SQL queries by injecting malicious SQL code through the computer parameter in the URL. The vulnerable code snippet does not properly sanitize user input, directly incorporating user-supplied data into the SQL query. This oversight enables an attacker to execute arbitrary SQL commands against the database, potentially leading to unauthorized data deletion, data leakage, or complete database compromise. The provided HTTP request example demonstrates how an attacker could exploit this vulnerability by appending a conditional SQL statement (1' or '1'='1) to the computer parameter, effectively altering the query's logic to execute unintended actions. This security issue underscores the necessity of employing prepared statements or proper input validation mechanisms to protect against SQL Injection attacks, thereby safeguarding the integrity and confidentiality of the database. |
| Source | https://github.com/skid-nochizplz/skid-nochizplz/blob/main/TrashBin/CVE/SOURCECODESTER%20Computer%20Inventory%20System%20Using%20PHP/SQL%20Injection%20delete-computer.php%20.md |
| User | nochizplz (UID 64302) |
| Submission | 28/02/2024 02:19 PM (2 years ago) |
| Moderation | 01/03/2024 08:16 AM (2 days later) |
| Status | Approved |
| VulDB Entry | 255382 [SourceCodester Computer Inventory System 1.0 delete-computer.php computer SQL injection] |
| Points | 20 |
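As an added illustration of the mitigation the description names (prepared statements plus input validation), the following is a hardened delete handler for the `computer` URL parameter; it is not the project's code, which this record does not reproduce, and the table name `computers`, the `id` column, the `$conn` mysqli connection and the redirect targets are assumptions.

```php
<?php
// Added example, not the project's code: a delete endpoint that never
// interpolates the `computer` request parameter into SQL.
// Assumed: table `computers` with integer primary key `id`.
declare(strict_types=1);

/**
 * Validate the `computer` parameter as a positive integer id.
 * Anything else (missing, array, "1' or '1'='1", "abc") yields null,
 * so the request is rejected before any query is built.
 */
function parseComputerId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Delete one computer row by id with a parameterised query.
 * The id is bound as an integer, so it cannot change the WHERE logic.
 * Returns the number of rows deleted (0 or 1).
 */
function deleteComputer(mysqli $conn, int $id): int
{
    $stmt = $conn->prepare('DELETE FROM computers WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handling: reject bad input with 400 instead of querying.
$id = parseComputerId($_GET['computer'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid computer id');
}

// Make mysqli throw on errors rather than failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'user', 'password', 'inventory'); // assumed credentials
$deleted = deleteComputer($conn, $id);
$conn->close();
header('Location: ' . ($deleted === 1 ? 'index.php?deleted=1' : 'index.php?notfound=1'));
```

A log of rejected requests (the 400 path) is a cheap detection signal for probing of this endpoint, since a legitimate client only ever sends an integer id.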